* Modularize to match security design patterns:
** Leave a flexible framework that will play nicely with other access control / policy definition / trust metric plugins
* Other
** Added a few helper methods for linking to user pages
** Uniform handling of logout, remember_token
** Stricter email, login field validation
** Minor security fixes (see CHANGELOG)

h2. Non-backwards compatible Changes

Here are a few changes in the May 2008 release that increase “Defense in Depth”
but may require changes to existing accounts.

If you have an existing site, none of these changes are compelling enough to
warrant migrating your userbase.

If you are generating for a new site, all of these changes are low-impact.
You should apply them.

h3. Passwords

The new password encryption (using a site key salt and stretching) will break
existing user accounts’ passwords. We recommend you use the @--old-passwords@
option or write a migration tool and submit it as a patch. See the
[[Tradeoffs]] note for more information.
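As an added illustration (not the plugin's own code): a Ruby sketch of an unstretched salted digest next to a site-key-seeded, stretched one, plus the fallback a migration tool could use to accept old digests once and re-save them in the new form. The constants @REST_AUTH_SITE_KEY@ and @REST_AUTH_DIGEST_STRETCHES@, both digest layouts and the salt are assumptions constructed for this example.

```ruby
require 'digest/sha1'

# Constructed values for this example. A real site key belongs in
# config/initializers/site_keys.rb and must never be committed.
REST_AUTH_SITE_KEY         = 'example-site-key-not-for-production'
REST_AUTH_DIGEST_STRETCHES = 10

module PasswordDigests
  module_function

  # Assumed older scheme: a single SHA1 round over per-user salt and
  # password, with no site-wide secret and no stretching.
  def old_digest(password, salt)
    Digest::SHA1.hexdigest("--#{salt}--#{password}--")
  end

  # Assumed newer scheme: the site key seeds the digest and is mixed into
  # every round, and the round is repeated ("stretched") so each guess
  # costs an attacker REST_AUTH_DIGEST_STRETCHES hashes instead of one.
  def new_digest(password, salt)
    digest = REST_AUTH_SITE_KEY
    REST_AUTH_DIGEST_STRETCHES.times do
      digest = Digest::SHA1.hexdigest([digest, salt, password, REST_AUTH_SITE_KEY].join('--'))
    end
    digest
  end

  # Migration helper. Accept the new digest; if that fails, accept the old
  # digest and hand back a freshly stretched one so the caller can re-save
  # it on this login. Returns [authenticated?, replacement_digest_or_nil].
  def authenticate_and_migrate(password, salt, stored)
    return [true, nil] if secure_equal?(stored, new_digest(password, salt))
    return [true, new_digest(password, salt)] if secure_equal?(stored, old_digest(password, salt))
    [false, nil]
  end

  # Constant-time comparison so the digest check does not leak via timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Because the new digest depends on the site key, the two schemes never agree on a stored value, which is why existing accounts stop authenticating without a fallback like the one above.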

h3. Validations

By default, email addresses and usernames are validated against a somewhat strict pattern, so some of your users’ existing values may now be rejected. Adjust to suit.

h2. Installation

This is a basic RESTful authentication generator for Rails, taken from
acts_as_authenticated. Currently it requires Rails 2.2 or above.

IMPORTANT FOR RAILS > 2.1 USERS: to avoid a NameError exception (see the lighthouse tracker ticket), check out the code into a directory whose name contains an underscore, not a dash:

either use @git clone git://github.com/technoweenie/restful-authentication.git restful_authentication@

or rename the plugin’s directory to restful_authentication after fetching it.

The first parameter specifies the model that gets created in signup (typically
a user or account model). A model with migration is created, as well as a
basic controller with the create method. You probably want to say “User” here.

The second parameter specifies the session controller name. This is the
controller that handles the actual login/logout function on the site.
(probably: “Session”).

@--include-activation@: Generates an ActionMailer and the code for sending an
activation code to the user by email.

@--stateful@: Builds in support for acts_as_state_machine and generates
activation code (@--stateful@ implies @--include-activation@). Based on the
idea at [[http://www.vaporbase.com/postings/stateful_authentication]]. Passing
@--skip-migration@ will skip the user migration, and @--skip-routes@ will skip
resource generation; both are useful if you’ve already run this generator.
(Needs the acts_as_state_machine plugin,
but new installs should probably run with @--aasm@ instead.)

@--rspec@: Generate RSpec tests and Stories in place of the standard Rails tests.
This requires the RSpec and rspec-on-rails plugins
(make sure you run @./script/generate rspec@ after installing RSpec). The rspec
and story suites are much more thorough than the Rails tests, and changes are
unlikely to be backported.

The below assumes a Model named ‘User’ and a Controller named ‘Session’; please
alter to suit. There are additional security minutiae in notes/README-Tradeoffs,
though only the paranoid or the curious need bother.

Note that this may not affect everybody, but if you run into problems with the
activation_code sent by email not matching the one stored in the database,
reload your user object before passing its data to the mailer,
something like:

If you use a public repository for your code (such as github, rubyforge,
gitorious, etc.) make sure to NOT post your site_keys.rb (add a line like
‘/config/initializers/site_keys.rb’ to your .gitignore or do the svn ignore
dance), but make sure you DO keep it backed up somewhere safe.